Can home automation schemes threaten the protection of personal data? The CNIL (French national agency regulating data protection) and the FIEEC (French Federation of Electric, Electronic and Communication Industries) are taking a close look at this issue. Indeed, “smart houses” will soon enable various home appliances to communicate with one another (the set-top box with the shutters, for example). What will happen to the data equipment suppliers have access to? The CNIL and the FIEEC organized a colloquium on October 3rd, 2012, where players in the IT sector tackled this topic. Beyond the privacy question, the issue of data ownership was raised.

According to Jean-Pierre Ménéla, representative of the Gimelec (French industry association for electrical equipment), smart grids and smart buildings are no revolution but a mere evolution necessary for the improvement of grid efficiency and the integration of renewable energy sources. Nevertheless, grid interconnection raises the issue of data management. In 2007, a researcher of the Aurora research project managed to physically damage an electric grid. The challenge is therefore to rethink the whole system by taking technical innovation into account and to ensure that the data transmission chain runs properly, from data generation to data storage.

Lionel Tardy, representative from the French département of Haute-Savoie, voices his concerns. According to him, the legal framework must be very precise and harmonized at the European level to prevent data recovery without individual knowledge. The CNIL recalls that such activities are already defined by a strict legal framework. Manufacturers and grid managers infringing data anonymization rules risk criminal penalties as defined by the July 2001 law. Besides, the French agency has a very broad understanding of personal data, defined as “any information that can identify a person or their life habits”. The CNIL therefore says it is ready to play the role of facilitator in support of manufacturers willing to develop these new activities.

Manufacturers strive to gain their customers’ trust

More than just a data security issue, this is all about a contract of trust between companies and their customers, which in turn will allow for the development of home automation schemes in the coming years. Industrials have to ensure that only relevant information to trigger life scenarios users are used. One must make sure that only the information useful for the programming of the users’ living scenarios is used. According to Marc Jalabert, Head of the Consumers and Operators Division at Microsoft France, manufacturers must use the following decision-making model: “Data-Information-Knowledge-Wisdom”.

This relationship of trust will be beneficial to the environment. For instance, a study conducted by Boston Consulting Group recently showed that charging an electric car during peak demand periods causes CO2 emissions to go up. Using relevant information, it should be possible for a private vehicle to charge automatically during off-peak periods; this would require the processing of personal data, though in a predetermined framework.

Privacy by design: an adequate solution?

In order to guarantee the protection of users’ data, manufacturers promote “privacy by design”, that is anonymizing data as soon as products or services are designed. Concretely, this means integrating parameters preventing the collection, storage or transmission of data upstream devices designed. The Linky metre by ERdF (French company managing the public electricity distribution network) set a precedent in this respect. In order to launch its smart metre project, ERdF had to cooperate with the CNIL and let the government know which kind of user data it would gather. The CNIL gave its opinion on the matter; therefore the metre will only release data necessary to run the grid. Data will only be stored for two months, that is the time deemed necessary to ensure the grid’s security and prevent failures.

By way of conclusion, the CNIL and the FIEEC put an emphasis on the opportunities these new activities open up. The challenge is to go step by step and comply with data protection rules from the outset. The CNIL and FIEEC seem to share a common vision of these problems, as was shown by the frequent repetition of the following phrase during the colloquium: “neither wishful thinking nor disaster mongering!”